Transcript of Internet Caucus Panel
Discussion.
Re: Administration's new encryption policy.
Date: September 28, 1999.
Source: Tech Law Journal recorded the event, transcribed the audio recording,
and then converted it into HTML. Parts of the recording were of low quality, and
there may be errors in this transcription. Copyright 1999 Tech Law Journal. All
rights reserved.

William
Reinsch. I appreciate the Congressman
Goodlatte's comments. He has been steadfast in his efforts on this, and I
think the legislation, as I have said before, _____would not as prolonged as it
is, were it not for his personal efforts, and his relentless approach to this. I
have had the pleasure to testify with him frequently, and it has been truly a
pleasure.

On the other hand, if I never have to do it again, that would also be all
right. [laughter] I found a way to have this issue
behind us.

Let me say briefly what we have done with respect to my little piece of this,
and then I will turn it over to my colleagues, who will speak about their
pieces, and I urge you to stay and listen to all of them, because what the White
House announced on September 16 was a three part program, and it is the other
two parts that my colleagues are going to talk about that really provide front,
the foundation, and the rationale for the export control decision, and have
enabled us to go forward with export control changes that we think are helpful
to the marketplace, and the industry, but which at the same time we think
preserve our national security and law enforcement equities. Unfortunately, in a
sense, in the media the export control changes have captured more of the news,
which I can certainly understand under the circumstances, but in fact it is the
other two legs of the stool that really are the more important, because the
provide the foundation for what we have done.

One of those stools is additional tools for law enforcement, which are
embodied largely in the Cyberspace Electronic Security Act, and Jim Robinson is
going to address that shortly.

The other leg is additional attention being paid by the government, centered
initially in the defense department, on development of more secure and more
private systems. And we hope that we can use the Defense Department's effort and
a substantial amount of money that they are going to put into that project to
develop model systems, not only for themselves, but also for the federal
government, and ultimately, we hope, the private sector as well. A lot of that
has to do with authentication, and not solely with data encryption. I just want
to make that comment in passing, and Lin Wells, from the Department of Defense,
from Deputy Secretary Hamre's office, is going to go into greater detail on that
as well.

Peter Swire, who is the President's privacy advisory, is also going to talk
about how the decision we are making, in _____ with the administration's
privacy objectives, and is consistent with those.

What I want to do is simply to describe to you what we have done in the area
of export controls, in gross, if you will, and then wait for questions, if you
have any specifics, recognizing that the reg is not up here yet, and some of
this remains for consultation with industry.

What we have done is attempt to simplify a somewhat complicated export
licensing regime, now, in which we divide the world by products, by countries,
by sectors, and have a number of cross-cutting matrices that has produced a lot
of inquiries, and I think generally, created some confusion. And we have tried
to simplify substantially, and in the process, recognize what I have been saying
from the beginning in my testimony on this, is, and that is, that our policy is
designed to reflect market realities.

We've taken account market -- we have taken market realities into account. We
have observed the marketplace closely in the year that has intervened since our
last policy update in 1998, and we believe what we have done reflects where the
marketplace is going on this subject. In that regard, we have essentially,
divided products in sort of in two ways.

One, by level, we have conformed with our Wassenaar
Arrangement international obligations pursuant to the agreement that was
struck last December, and will be decontrolling products at either the 56 bit
level, or the 64 bit level, depending on what kind of product it was, consistent
with Wassenaar rules. And so, below those levels, we will not be requiring
licenses, or license exceptions. We will not be requiring reporting.

Above those levels we are dividing products essentially into two categories,
what I would call retail products, and the fact sheet which we passed out which
is available on several websites, including BXA's,
details in a little bit more language what, how we define as retail, but
essentially, these are products which do not require substantial support for
installation and use, and which have been specifically designed for individual
consumer use, and other things, the details of the definition is one of the
things we _____ consult on.

That is one category. Everything else is in the other category. And we will
refer to that publically as custom, or customized, products, specialized
products, or some other term like that. But, we intend to define retail
universe, and simply put the rest in the other category.

All of these products will go through the same one time technical review that
is currently part of our policy, and we envision that continuing to be part of
our policy, the same kind of review we are undertaking now.

In addition, there will be post export reporting requirements for all of
these products, that is in these latter two categories -- retail and custom
products. The principles, if you will, by which we will develop those post
export required, reporting requirements, are first, that, we will not ask
businesses to report information that they are not now collecting, and we will
attempt to follow business models in the requirements that we set up. This is an
area where we intend to consult extensively with manufacturers, and other parts
of this change, before a reg we have some more to learn about business models,
and we want to have an extensive consultation with industry about that. We have
already begun that informally, but we will be done some more formal things
shortly. We are committing to finish and issue our reg not later than December
15.

Now, with respect to those two products, the difference in controls is very
simple. Everything in both the retail and the custom product areas, are going to
be let out on license exception, which means after the one time review, without
have the necessity of getting an individual license. They'll all be let out to
private, individual, and commercial end users. The sole difference is that for
the custom products, for government and military end users, you will need an
additional license. That is not a round about way of saying those licenses will
be denied. In fact, those licenses are required now, and those licenses are
often approved now. So, simply the fact that we require a license does not mean
denial. But a license will be necessary for custom products in the government
military end user area. It will not be necessary for the retail products, even
for government end users.

This is a much simplified system. It is a way of freeing up that product
that, I think, goes beyond the PROTECT ACT, and is,
Mr. Goodlatte and I can argue about this, we haven't actually had an argument
about it yet, but I think it's, it's comparable in some respects, perhaps not in
all, to liberalization in the SAFE ACT. There are some
differences. It is consistent with our Wassenaar Arrangement international
obligations. It is consistent with market realities, as we have observed and
understood ____ in the last year.

And, I think that it is permitted because of the other two legs of the
announcement, which my colleagues are going to talk about. Now, having said
that, the only comment, further comment I would make is I am happy to do, have
questions about this, recognizing that we still have a consultation process to
go through, and we don't have a regulation to share it with you.

What has happened since September 16 though is that, unfortunately, the fine
intelligent thoughtful questions that would come from a group like the Internet
Caucus, have not been predominant. And what has been predominant is the comments
that have come from the paranoid caucus, which I am sure is a different group of
people from anyone in this room.

And they are all looking for the fine print. They are looking for the catch
in what we have announced. And my final statement is simply, there isn't any
catch. You know. It is what it is. And this isn't a scam, or some kind of game.

We have made the announcement we have made. And we have made it because we
think that this is the best way to enhance law enforcement's tools, capacity to
keep up with, or deal with a rapidly changing world in this area. Now, we have
done it in a way that we think is consistent with our obligation to defend the
country's national security. That is what it is. There isn't any catch. And I
would be glad to go into detail with you about that at a later point. But, I
don't, I don't, I want to be clear about our intensions here. There isn't any
hidden agenda.

With that explanation I think I will close and defer to, I believe, Mr.
Robinson is going to be next? I that right?

James Robinson:
I am Jim Robinson. I am the Assistant Attorney General for the Criminal
Division in the Justice Department. And
has been noted, there has been, as we know, a long, sometimes divisive, debate
over encryption policy. And I guess I would say that, puts me in mind, new
developments of some comments that Justice Felix Frankfurter once made in a
Supreme Court opinion, in which he said, "wisdom so seldom comes, that it
ought not to be rejected simply because it comes late," I suppose, you
could argue.

I think that we have come to the conclusion that the best way to approach
these issues that have been subject of serious concern by the people who are
hear and members of this caucus, approach it in the context of cooperation,
rather than confrontation. And it has been our view, from the law enforcement
perspective, that among the considerations that need to be at the table in
discussing this important topic was the need, not only to protect the privacy of
citizens, and not only to protect the interests of industry for business
opportunities, but also the interests of the American people for national
security and public safety.

The September 16th announcement is a first step in trying to accommodate each
of these important areas. As part of the proposals, as has been mentioned is,
Cyberspace Electronic Security Act of 1991, 1999 I am sorry, CESA. This
legislation would support the use of encryption by legitimate citizens to
protect privacy, and would at the same time also recognize the growing use of
encryption by criminals seeking to hide evidence. And this a very serious
proposition for those of us in law enforcement.

I was the United States Attorney for the Eastern District of Michigan twenty
years ago. We didn't have to worry about this. If we had probable cause, we
could seek and secure a search warrant to seize documents, stored documents. We
could also seek a court order for electronic surveillance. And we did not
encounter unreadable gibberish. And, what we are seeking with regard to law
enforcement is to the brave new world where encryption increasingly will become
widespread. And, I think it can have serious repercussions, and I think it
better to cut, to have this debate, not in the wake of a situation in which we
have been unable to recover a kidnapped a victim, or prevent a major terrorist
act, because of our inability, having seized material, to read it in a way that
allows us to prevent criminal activities.

The components of CESA seeks to balance the needs of privacy and public
safety. It establishes significant new protections for the privacy of persons
who appropriately use encryption, but also assists law enforcement's efforts to
maintain its current ability to obtain usable evidence in court as encryption
becomes increasingly more common.

Just to summarize briefly. The number of key provision in the legislation. It
provides special protection for decryption keys stored with third party recover
agents, and establishes limitations on government use and disclosure of those
decryption keys obtained through court processes. These provisions will protect
privacy, will not in any way limit any person's individual choice about whether
to use a recovery agent or not. This is a re-emergence of the Clipper Chip
approach to this issue.

CESA will also authorize appropriations to the technical support center at
the Federal Bureau of Investigation, which
will serve as a centralized technical source for federal, state, and local law
enforcement, as it seeks increasingly to deal with situations in which we
appropriately, through court authorization, secure access to communications and
stored electronic data, which because of powerful encryption, we won't be able
to deal with without the technical capacity to address it.

And finally, it protects the confidentiality of government techniques
utilized to obtain, usable evidence, techniques, such as those that we expect
will be developed by the technical support center, and will assure that
proprietary information, provided to the government to assist us, in provided,
developed by the government, can be, to the extent consistent with
constitutional limitations, be protected from disclosure, so as to destroy the
usefulness of that information.

I believe that in adopting this policy the administration has altered the
encryption debate as has been noted. I think that the administration is trying
to work towards a number of goals, all of which are very important. And from a
law enforcement perspective, it is very important that the vital interests of
law enforcement to protect the public not be left on the cutting room floor, as
we continue on with the development of these important legislative proposals.

We continue to be concerned that criminals and terrorists will benefit from
strong encryption, and will attempt to cloak their communications and their
evidence through the use encryption.

But, we cannot hold the sea back. We know that. We have to deal with a new
world of technology that has happened over many many years with lots of
technological developments, and this is another one we are going to have to deal
with, and I think a cooperative approach, a balanced policy, is the best way to
do it. We think that the policy that has been announced is one that has great
merit. And, we from a law enforcement perspective, support this approach and
look forward to working with Members of Congress in advancing these proposals.

Linton Wells:
My name is Lin Wells. I am the Principle Deputy Assistant Secretary of Defense
for Command, Control, Communications and Intelligence. The policy that was
announced on the sixteenth of September has three pillars to it.

One was strong information security and privacy. The second was a new
framework for export controls. And the third was updated tools for law
enforcement.

What I would like to talk about is the Defense Department's interest in the
information security, and some of the reasons why we support the national
security perspective, the new export control regime.

Defense is a big player in this information security world. We have over 2.1
million computers, and over ten thousand networks on any given day. We are
spending something over 500 million dollars, half a billion dollars, to put
together a comprehensive security management infrastructure.

When we talk about the security management information security, we often use
the term information assurance. And this to us means five things. It means you
must be able to protect the confidentiality of the information in your network.
It means that you have to maintain the integrity of your databases. It means you
must be able to authenticate and identify who is in your networks. And it means
you must be able to non-repudiate, if you will, a contract signed in cyberspace
cannot later be repudiated. And finally, the information has to get there. The
infrastructure has to be available.

Secretary Reinsch talked about the authentication phase of encryption. This
is very important to us, as we have seen more and more penetrations into our
networks. We have to know who is in those networks.

We also know we can't do this by ourselves. This has got to be a partnership
between the government and private industry. The tools of the commercial
marketplace are getting stronger. We need to find a way to leverage them, and
then to build on them, so the government products, as needs be for our own
particular needs.

The point is we can't do it along. Therefore, we have a vested interest in
promoting the development of encryption tools in the private sector, not
encryption, information and security tools, in the private sector. And acting as
a facilitator and a catalyst for bringing these along together.

This also is a question, if you will, of critical infrastructure, which there
is not time to get into today. But it is intimately involved in this public
private sector partnership.

We feel very strongly that security infrastructures and the deployment of
security products should neither be mandated nor prohibited. There has been a
lot of discussion about key recovery, key escrow, whatever tag the techniques.

In defense, one of our defense mega centers, which writes contracts, does
over 40 million dollars worth of contracting per hour. There is no way from a
business practices point of view that we are not going to be able to recover the
information generated by the employees in that center. We have to have to have
some one to recover it if it is encrypted and someone through dishonesty or
mistake locked it up. So, we have a vested interest that in no way is nefarious.
It is purely a business practice in maintaining key recovery techniques.

I turn to the export controls briefly. The three pillars on which the export
control rests is a meaningful technical review, a streamlined reporting
procedure that is consistent with business practices, and the ability to deny to
military, government, or terrorists end users the products that circumstances
permit. Those are the sine quo non from the national security community's point
of view. Because those are part of the policy, we are more than pleased, more
than happy to support the relaxation of export controls in other areas.

Some have characterized this as the national security community caving in to
the export controls. That is not at all the case. There is very strong support
for this program from the national security community.

Peter Swire:
Greetings. My name is Peter Swire. I am the chief counsel for privacy in the
White House. And, John Podesta had hoped to participate today in this. As you
know, he was the Chair of the government's encryption working group. He,
unfortunately, had another engagement, asked me to come and speak on the topic.

I am going to talk briefly about my own background that is relevant, about
the administration's process, and how we got up to September 16th, and then some
things about law enforcement, and where we stand now in going forward.

As chief counselor for privacy, part of the background is that I taught the
law of cyberspace in law schools, including encryption, and, Ohio State
University, where I taught, there is a scholarly article on encryption called
the "Uses and Limits of Financial Cryptography, A Law Professor's
Perspective." And, I say this in part to show that over the last several
years the administration has continued to bring in the people of a lot of
sources, many people in the Justice Department,
Defense, and other agencies who have learned over time more and more about
encryption, and more and more how vital it is within the Internet
community and the e-commerce world. And, throughout the many different agencies
and throughout the Congress and industry, we have had a gradual learning about
the issue, and I think that helps explain at least part of the evolution in
policy over time.

The administration process leading up to September 16th, what you see here
today is, I think, a reflection of the many different sorts of agencies and
goals that were involved together in trying to come up with an overall package
that is good policy for the country. And so we have national security concerns,
and law enforcement concerns. We want to have strong electronic commerce. We
want to have the privacy and security individuals protected in our new
electronic age.

And the questions are all along, how do we put together a package that meets
those different goals. And those are all goals we want. And so, that is a big
challenge.

In terms of the announcement in September, there have been reports that the
timing, or the exact content of the announcement was very tied in with
particular Presidential politics for next year. I would like to say that that
misses the mark. That that, those reports do not match the process that I was
involved in, and that I saw. And I think that is relevant to you all as you look
at the efforts here to get encryption policy right for this next period.

When I taught the law of cyberspace I taught encryption. And when we talked
about law enforcement and national security from two different perspectives,
both of which I think have a lot of validity, and informed why this has been a
hard problem. One perspective is one that Congressman
Goodlatte, I heard, on TV recently express, and I think he did it very well,
which is a perspective that encryption prevents crime. That if we can send our
trade secrets within companies, if we can do our contracts within the Pentagon,
if we can send our personal letters to our loved ones using the Internet, if we
can use corporate intranets, in all of these ways, having this security wrapped
around our communications, stops bad guys from taking our information. It is a
way to reduce crime. And that is an important truth and insight.

There is another important truth and insight also. Which is, that if we have
bad people -- terrorists, drug cartels, your favorite kind of bad people -- if
you have bad people that have hard drives full of encrypted information, or have
a worldwide email network full of encrypted information, they can store data, or
communicate data, free from scrutiny if there is strong encryption. They can
have a get out of jail free area on their hard drive that nobody can read, and
keep records in a way that nobody criminal enterprises have never been able to
do in history. That is a valid truth too.

What has been so hard on encryption is that both of these things are true.
Encryption helps protect against crime. Encryption can also be used for crime.
And as we have been learning as a society about how to deploy strong crypto, and
how to use it, we have faced really difficult problems about to resolve those
truths. What I think we have today, and we have heard from the panel, from the
different parts of the administration, is that as of September 1999, the
administration is saying that the package that we are now supporting, on the
basis of having looked at how this really works, is a package that will let
Defense Department, and the rest of government have strong encryption to do the
things we need to do, that is going to allow e-commerce to use encryption in
many important ways that will foster e-commerce, and, that deserves a tailored
response to the particular law enforcement problems that do come up from
encryption. And that tailored response is the CESA bill, the Computer. I am
loosing the acronym right now. But, that the Computer Encryption Security Act? I
am sorry.

Robinson: Cyberspace ...

Swire: Cyberspace Electronic
Security Act. Sorry. I have encryption anxiety here. I can't get my acronyms
right. The, the, a couple of points about CESA to point out. One provision is
that trade secrets should not be easily disclosed in court. And investigative
techniques of law enforcement should not be easily disclosed in court, and thus,
lost forever. And so, consistent with Constitutional protections, we ought to
get the right rules in place so that crypto related legal things don't get
exposed unnecessarily.

The second provision is a privacy enhancing provision. It is based on choice.
If you choose to create a business model. If you choose as an individual to have
some company keep key related information, CESA would improve the level of
privacy protection over the law today. It would say, you have to get a court
order under the standards laid out in the statute, and only then can that third
party provider hand over key related information. Today, if you go to the third
party, there is no such legal requirement. This is a privacy enhancement. It is
related to encryption. It is a tailored response.

And, the last part of CESA is that we should fund law enforcement to have
capabilities to keep up with the information age. That they have to learn
computers, just like all the companies are learning computers. And we should
fund that adequately. I think that is a tailored response. It is a common sense
response. It respects law enforcement and national security, while building an
encryption world that is going to help the e-commerce and privacy and security
and these other goals we are all trying to achieve.

Thanks.

John Schwartz:
We have a little time for questions. I would like to start off by asking
Congressman Goodlatte, in light of all that has been said here right now, what
does this mean for the SAFE Act? If peace has really broken out, is the bill
moot? Are you still going to go back? And I would like some of the panelists to
discuss your response.

Rep. Bob Goodlatte: Thank you
John. I was going to pose a question myself. You said it all right. I will
answer yours.

Schwartz: You can answer my
question with a question, as well.

Goodlatte:
I know we also have Congressman Curt
Weldon to come and give his perspective. We would like to give him an
opportunity to do that. But the answer to the question regarding the SAFE
Act is that it is alive and well. Curt just asked me when I originally
introduced it. It was back in 1996. This is the third Congress in which it has
been introduced. And it has grown from having one hearing held in Judiciary,
and a handful of cosponsors, to 258 bipartisan cosponsors. It is ready to go to
the floor of the House.

Whether and when it goes to the floor, I think, depends in large part on what
we are short on at this point in time, and why this panel discussion is so
timely, and that is the details. The presentation made by the administration, I
think, is long on promise in addressing all of the different problems that they
mention and that the SAFE Act is intended to address. but it is short on detail.
And so, in that regard, I would like to ask the members of the panel a couple of
questions.

One. One of the big issues here in terms of liberalizing export control is
making sure that companies that manufacture these products are able to get them
on the Internet and marketplace in a timely fashion, while at the same time
giving the administration an opportunity to look at them, to determine what
effect they may have on our national security concerns, and others, and that is
called in the SAFE Act and in the administration proposal, a one time technical
review. We don't have many details on what that means, and I am hoping that Bill
Reinsch can tell us precisely what it does mean, what type of information
companies will be required to provide as a part of the technical review, what
steps the administration will take to make sure that any proprietary information
will provided by industry is protected against hackers and industrial spies, and
how long will this review period last? The administration objected to the SAFE
Act as not providing a meaningful review prior to export, and so, we want to
know what one time technical review is, and a meaningful review, and what your
review process will include that the SAFE Act does not?

Reinsch:
Well. Let me respond to that the best I can. The SAFE Act, as I recall, was
amended in the House
International Relations Committee to change the time limit from 15 to 30
days. I suspect with your acquiescence, if perhaps now you support, 30 is about
what it takes us now on average. I am sure there are people in the room who will
stand up to say it took longer. But, on average, I think that that is a
reasonable number, and that is what we have been able to do, and that's what we
think we can do, and we strive for better, and I think as, as is always the case
with a change of policy, in the short run, there will be a hump, because
everybody will come in with products, and we are going to get backlogged.

But, and that is just in the nature, we don't, Congress has, has, declined
over the years to give us additional resources to wrestle with this problem. I
say that even though I don't think that either you or Weldon are on the Appropriations
Committee. So, you know, so we will get through the hump as best we can,
but, I think thirty days is a reasonable time period. And, I think that the
Congress seems to think so too, based on the House activity.

With respect to protection of proprietary information, or, I think, we have
an exceptionally good record at that. Most of the information that BXA
processes, if you will, is protected from disclosure by law. And, as a result we
have had built in over the years a lot of procedures to make sure that we can
maintain that standard. And, I think this information in that respect is frankly
as important as any body else's information as far as proprietary data is
concerned. We have a lot of it. And, I think we have a good record of not
letting it out. And, I don't expect anything to be different in this case. And,
I don't think, I am subject to correction from industry people in the audience,
I don't think that that has been a problem with respect to our stewardship over
encryption over the last two and a half years.

With respect to purpose and review, I would simply say two things. One, this
is not a new thing. You know, it is more, if you will, prominent piece of our
policy because we have eliminated a lot of other pieces of our policy. But in
fact, we have done technical reviews from the beginning. Industry has not only
not objected to them, but in many cases welcomed them.

As Mr. Goodlatte pointed out, his bill makes space for them, and provides for
them as well. This has not been a controversial concept. If you want to know
exactly what goes on with respect to the dialogue between the government and the
industry in technical review, I would suggest that you ask the industry, and ask
them to comment to you on what goes on. And, we don't envision what is going to
happen in the future as different as what has happened in the past.

Goodlatte:
Thanks. If I might ask one other question for our Justice Department folks, and
Bill, perhaps you could address this too.

In two parts: the first part, Bill Reinsch, the discussions that I have
privately with you and others have assured me that while all three of these
aspects of the administration's proposal are very important, that they are not
linked to each other, and my question is, will the export regulations be changed
or delayed from your December 15 deadline, if the Congress has not passed the
Cyberspace Electronic Security Act by that date?

And then for the Justice Department: under CESA the government may obtain
encryption keys if there is not constitutionally protected expectation of
privacy in the plain text. Does this limitation also cover information that is
not constitutionally protected, but is only protected by statute, as is the case
with medical records, and bank records?

Reinsch:
December 15 is a no later than date. We hope that it will be earlier. In our
experience, in the past, particularly in 1998, it took a good while, because we
had a consultation, we envision going with the new and final proposed regs, so,
the reg will lead the way. I don't see circumstances that would have us going
beyond that date, including the non-enactment of CESA. And, that is a firm no
later than date as far as I am concerned. And the announcement that we made is
very clear that there are no contingencies or conditions attached to it. What we
did say is that we are all, and this means the Department of Commerce, the
Department of Defense, the Department of Justice, and the other agencies of
government in support of CESA, and committed to urging the Congress to move
forward quickly and expeditiously. But, that doesn't mean that the export
control liberalization is contingent upon its enactment. It is a large,
significant, major piece of legislation, as Mr. Robinson said, and I think that
one of the things that Congress will want to do, and we hope they will do, is
look at it closely. But, that is their obligation.

Schwartz: Congressman Weldon,
thank you very much for being here. Do you have any questions.

Rep. Curt Weldon:
Thank you. Let me see if I can liven things up here in the last couple of
minutes of the luncheon. First of all, I apologize for being late. And I thank
Bob and the members of the caucus for inviting me here.

Pardon me if I seem a little bit confused to our panel, but, I am, and have
been, with the change in direction which has occurred. But before I begin, let
me say at the outset one of my biggest projects for the past four years has been
to build what is becoming the first smart region in America, linking up all of
the institutions within a four state region -- Pennsylvania, Delaware, New
Jersey, and Maryland -- _____. In fact, over the weekend, I hosted the Minister
_____, who is the Minister of Information Technology for Malaysia. As we signed
an ____ with them for uplink downlink ties between our hub initiative in the
four states, and the new Malaysian super-computing corridor project that they
are building in Malaysia. So, I am a strong advocate for the use of information
technology.

But my other hat is to chair the Research Committee for National Security.
And when Bob introduced his bill three years ago, my door was pounded
incessantly by the Defense Secretary and his staff, by the Director of the CIA,
and by the head of the NSA, and I would note for the record neither the CIA nor
the NSA is here today.

Who is actually speaking for them today, I might add? OK.

NSA and CIA came in, and in a very intense way, lobbied me personally, and I
am not a computer expert, nor am I a lawyer, and they asked me to give access to
my subcommittee and the full Armed Services Committee to look at the security
implications of the change in Bob's legislation. I respect Bob. I think that he
is an outstanding member. But I felt that I owed it to my committee, and my
responsibility to Congress to listen to what the administration was going to
tell me.

We arranged a series of classified hearings and briefings. And, as with any
Member of Congress expressing concern about the ability for our forces involved
in a hostile environment to be able to respond quickly, ____ back to 1991 in
Desert Storm where my understanding is that our commanders in the field had
Saddam Hussein's commands before his own command officers had them, because of
our ability to intercept and break the codes of Saddam's military. I want to
make sure that we have that capability in the future. I responded in a very
positive way to the argument that was being made by the CIA, by the NSA, and by
DOD. And we took some very tough positions.

In fact, Ron Dellums and I offered the amendment last year that had only one
dissenting vote in the House, and this year passed by a vote of 48 to 6.

In the past year none of those briefings have changed. And the people who
have come to me as a Member of the National Security Committee, there has been
no lessening of their impression of the threat. Yet all of a sudden I am told,
and John Hamre, I think, he made the courtesy of calling me in advance, that
there was a change.

Now, I agree with the gentleman from the White House, for the administration,
that it was coincidence that this happened the day before Vice President Gore
went to Silicon Valley. I agree that that was just a coincidence.

But the point is that when John Hamre briefed me, and gave me the three key
points of this change, there are a lot of unanswered questions. He assured me
that in discussions that he had had with people like Bill Gates and Gerstner
from IBM that there would be, kind of a, I don't know whether it's a, unstated
ability to get access to systems if we needed it. Now, I want to know if that is
part of the policy, or is that just something that we are being assured of, that
needs to be spoke. Because, if there is some kind of a tacit understanding, I
would like to know what it is.

Because that is going to be subjected to future administrations, if it is not
written down in a clear policy way. I want to know more about this end use
certificate. In fact, sitting on the Cox Committee as I did, I saw the fallacy
of our end use certificate that we were supposedly getting for HPCs going into
China, which didn't work. So, I would like to know what the policies are. So, I
guess what I would say is, I am happy that there seems to be a comming together.
In fact, when I first got involved with NSA and DOD and CIS, and why can't you
sit down with industry, and work this out. In fact, I called Gerstner, and I
said, can't you IBM people, and can't you software people get together and find
the middle ground, instead of us having to do legislation.

But I am not convinced that what we are doing here is necessarily logical.
And I am not convinced that all of us, in fact, have the same understanding of
what it is that you are coming out with in terms of a new policy position. And I
guess we won't know that until the terms of the December 15th regulations are
spelled out, and then we can debate the fine points, which is part of what Bob's
question alluded to today

I don't want to hurt industry. In fact, I have advocated that we give
significant new tax breaks to the encryption and software industry in this
country to give them more incentive to stay in America and do their work here.
But, I am also, as a senior member of the Security Committee, as a Chairman of
the Research Committee, to seeing 47 billion dollars a year of our tax money
going to Pentagon's IT systems, I want to be absolutely certain that in terms of
our ability to deal with intelligence overseas, to be able to have information
dominance overseas, to be able to use the kinds of tools that the CIA and the
Defense Department needs in adversarial relationships that we are in fact
providing that through this new policy.

So, I guess the devil is in the details, the proof is in the pudding, and I
am going to withhold my support for what you have done until I have seen the
details that you are supposedly going to review for us on December 15.

My question is also why wasn't the head of the NSA and CIA invited to appear?
Was that the panel? Or, was that the decision of the administration?

Jerry Berman:[He
said he invited the administration to send whoever they wanted.]

Weldon: My only question is,
since, the administration used the CIA, and the NSA, to come to me as a Member
of Congress to argue their position for the past two years. I would like to have
had the NSA and the CIA here at the table so I could ask them the same questions
that I am posing you. And I am not going to be happy until I get that
opportunity.

______?: Congressman, we will
make that opportunity available to you.

Weldon: I think it should have
been done though in a public forum.

______?: Thank you.

Swire: Just one small, in the
announcement on the 16th that Deputy Secretary Hamre spoke for Defense and
national security, Attorney General Reno spoke for Justice and law enforcement.
Secretary Daley for Commerce. I was asked to speak on privacy, as a
representation of important goals that we were trying to meld together for this
overall policy.

Weldon: I understand that. And
John Hamre told me that when he called me a of couple of days before the
announcement was going to be made. My point is, that when the administration
wanted people to carry their water up on the Hill, they sent the head of the CIA
and the head of NSA to see us personally. They did not have John Hamre do it.
Although John did part of that. And I think that we should be hearing from the
CIA and NSA directly because they are the people I am concerned, in terms of
being able to break into systems of foreign adversaries, of both real and
potential adversaries. I want to hear from them.

And I think we owe it to the public, as we have had an about face in this
policy, and that is what I think that it is. I want to hear what has changed,
and whether or not they are satisfied. Once again, I am not an information
technology expert. I am not a lawyer. But, I want to hear from them. I want to
get them to look me in the eye to tell me they are satisfied, and they are
satisfied because what we have done here is consistent with their ability to
provide the kind of level of security that we need in the future.

Wells: If I could say
Congressman, one of the piece of the rollout was that the national security
community will need additional tools. And, we look forward to the Congress to
support that with appropriations.

Weldon: And we will do that. We
have given, for the past five years, more money for the issue of information
dominance in our defense bill, than the administration's request in each year.
In fact, both ______ and John Hamre have had full and unequivocal support for
all of their needs, as well as the needs of the CIA and the FBI, I mean the CIA
and the NSA.

Schwartz: Congressman, I didn't
really think we headed off into dull before, but when you said you were going to
liven it up, you sure delivered on your promise.

I don't know that we have room, time for more for questions. I would like to
ask one more, just to toss it out, because their is one distinction that is
getting some attention. _____ for asking and getting a response on. And that is
the distinction in the three tier platform of retail products versus everything
else. One of the most important cases going on now is about source code being
promoted by an academic, Professor Bernstein, and the export controls have been
called a prior restraint, a violation of the First Amendment, and yet if that
distinction is still going to be in place, it seems one of the most prominent
issues, is not being addressed. That is what I have heard, and I would like to
get some response from y'all on whether this thing is off.

Reinsch:
We have not changed our policy with respect to the export of source code, so to
the extent there was a problem, if you want to use that word before, the problem
continues. I wouldn't want to comment on pending litigation in any substantive
way, and I don't know what the, the, proponents of those various suits, of which
Bernstein is only one, intend to do. But, we haven't changed our policy on
source code. The court, when it considered this issue in that case, concluded
that, we think, erroneously, but concluded that, the system of licensing that
the government had did not meet the test, if you will, of an appropriate prior
restraint. ...

[Editor's note: The final few minutes of the
program were questions from the audience, and answers from the panel. It
is not transcribed here.]